[Samba] Retaining Permissions on a share

Neil nwilson123 at gmail.com
Tue Aug 22 12:35:39 UTC 2017


Hi Rowland,

Sorry to trouble you, but I'm rather stuck here.

Any help is appreciated.

Regards.

Neil Wilson.

On Thu, Aug 17, 2017 at 3:44 PM, Neil <nwilson123 at gmail.com> wrote:

> Hi all,
>
> Sorry to repost about this same issue once again, but I'm really at a
> complete loss as to how to solve the problem with ownership being changed
> after I've set it.
>
> I've set ownership as follows... (set this by chmod -R 0770 HR, as well
> as chgroup -R HR-Group, I then signed into a Windows PC that was part of
> the domain, went to computer management as per the WIKI and chose "connect
> to remote computer" went to the sharing on this DC and under sharing only
> set HR-Group, and then under permissions I set HR-Group, Domain
> Administrator, and I even tried setting Creator Group to HR-Group, but this
> doesn't show when looking through getfacl...
>
> [root at headoffice data]# getfacl HR
> # file: HR
> # owner: 3000238
> # group: CBL-HO\134HR-Group
> user::rwx
> user:root:rwx
> group::rwx
> group:CBL-HO\134HR-Group:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000238:rwx
> default:group::rwx
> default:group:CBL-HO\134HR-Group:rwx
> default:mask::rwx
> default:other::---
>
> ...yet when a user creates a folder inside HR they then become the owner
> and the group changes to "Domain users" and therefore no one else can save
> into this folder, below is an example...
>
> data/HR/Recruitment and Selection/lisa
>
> [root at headoffice Recruitment and Selection]# getfacl lisa
> # file: lisa
> # owner: CBL-HO\134lpretorius
> # group: CBL-HO\134Domain\040Users
> user::rwx
> user:CBL-HO\134lpretorius:rwx
> group::r-x
> group:CBL-HO\134Domain\040Users:r-x
> mask::rwx
> other::r-x
> default:user::rwx
> default:user:CBL-HO\134lpretorius:rwx
> default:group::r-x
> default:group:CBL-HO\134Domain\040Users:r-x
> default:mask::rwx
> default:other::r-x
>
> Not sure if the entire email history is attached, but the share is
> configured as ...
>
> [HR]
>         path = /var/lib/samba/data/data/HR
>         read only = No
>
> I've set the SeDiskOperatorPrivilege to the group HR-Group as well as my
> domain administrator which is the user I signed onto to set the share
> permissions.
>
> How can I prevent users from creating folders owned by themselves and
> thereby locking other group members out of the folder?
>
> Thanks.
>
> Regards.
>
> Neil Wilson
>
>
> On Tue, Jun 13, 2017 at 3:14 PM, Rowland Penny via samba <
> samba at lists.samba.org> wrote:
>
>> On Tue, 13 Jun 2017 15:03:49 +0200
>> Neil <nwilson123 at gmail.com> wrote:
>>
>> > On Tue, Jun 13, 2017 at 1:17 PM, Rowland Penny via samba <
>> > samba at lists.samba.org> wrote:
>> >
>> > > On Tue, 13 Jun 2017 12:25:32 +0200
>> > > Neil <nwilson123 at gmail.com> wrote:
>> > >
>> > > > Hi Rowland,
>> > > >
>> > > > Thank you for the reply and info.
>> > > >
>> > > > On Tue, Jun 13, 2017 at 11:19 AM, Rowland Penny <rpenny at samba.org>
>> > > > wrote:
>> > > >
>> > > > > On Tue, 13 Jun 2017 09:15:40 +0200
>> > > > > Neil via samba <samba at lists.samba.org> wrote:
>> > > > >
>> > > > >
>> > > > > OK, this is a DC and therefore you will have to do things
>> > > > > differently from a Unix domain member.
>> > > > >
>> > > > > You might as well remove these lines from [global]
>> > > > >
>> > > > >     winbind use default domain = yes
>> > > > >     vfs objects = acl_xattr
>> > > > >     map acl inherit = Yes
>> > > > >     store dos attributes = Yes
>> > > > >
>> > > > > The first doesn't work on a DC and the others are built into the
>> > > > > 'samba' daemon and so could be causing problems.
>> > > > >
>> > > > > You should also make the [HR] share look like this:
>> > > > >
>> > > > > [HR]
>> > > > >         path = /var/lib/samba/data/data/HR
>> > > > >         read only = No
>> > > > >
>> > > > > Now go and read this:
>> > > > >
>> > > > > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>> > > > >
>> > > > > You must use Windows ACLs on a DC.
>> > > > >
>> > > >
>> > > > Thanks I've cleaned up the smb.conf (and HR share) and had a full
>> > > > read again, but I'm still not sure how this will prevent users
>> > > > from becoming owner (shows using getfacl as the extended
>> > > > attributes) the files if they save it or if they create a
>> > > > directory.
>> > > >
>> > > > From what I've seen the only difference I've done, is because I
>> > > > set the permissions to 777 on the initially I didn't have to set
>> > > > the SeDiskOperatorPrivilege
>> > > > although I was using the user who already had this permission.
>> > >
>> > > Using '777' means that you now have a wide open share.
>> > >
>> >
>> > Yes thanks, it was just used to reset permissions initially, I'll use
>> > the SeDiskOperatorPrivilege to avoid having to "loosen" the
>> > permissions.
>> >
>> >
>> > > >
>> > > > One other thing is that the current HR share is 100GB's + and
>> > > > changing permissions from the Windows side takes hours, is there
>> > > > a quicker way to set both the sharing permissions and the
>> > > > Security permissions for group HR-group using setfacl? I've tried
>> > > > setting it using setfacl but couldn't seem to get this right.
>> > > >
>> > > > Apologies if I've misunderstood or if I'm missing something.
>> > > >
>> > > > Thank you!
>> > > >
>> > > > Regards.
>> > > >
>> > > > Neil Wilson
>> > > >
>> > >
>> > > # getfacl /srv/samba/Demo/
>> > > # file: srv/samba/Demo/
>> > > # owner: root
>> > > # group: root
>> > > user::rwx
>> > > user:root:rwx
>> > > group::---
>> > > group:root:---
>> > > group:domain\040users:rwx
>> > > group:domain\040admins:rwx
>> > > mask::rwx
>> > > other::---
>> > > default:user::rwx
>> > > default:user:root:rwx
>> > > default:group::---
>> > > default:group:root:---
>> > > default:group:domain\040users:rwx
>> > > default:group:domain\040admins:rwx
>> > > default:mask::rwx
>> > > default:other::---
>> > >
>> > >
>> > >
>> > > This shows that the share directory is owned by root:root and the
>> > > user root can do anything, but root group members cannot do
>> > > anything. Extended ACLs for Domain Users and Domain Admins, allow
>> > > members of these groups to do anything
>> > >
>> > > The settings shown on the wiki page are only examples, so you can
>> > > change them if you wish. If you are going to only administer the
>> > > share using the 'Administrator' user then you can leave the owner
>> > > group alone, but if you want to use members of a group, you will
>> > > need to 'chmod' the group ownership and then give the group the
>> > > 'SeDiskOperatorPrivilege'
>> > >
>> >
>> > Great thanks, I didn't realise that I'd need to set the group to the
>> > "diskOperatorprivilege" that makes complete sense now!
>> >
>> > Thank you for your help, I'll go ahead and give this a try.
>> >
>>
>> One thing I neglected to mention, you will need to give the group the
>> 'SeDiskOperatorPrivilege' on the Samba machine that holds the share.
>>
>> Rowland
>>
>
>
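Added example, not code from the thread: a small POSIX sh audit of getfacl output that checks whether a share group keeps rwx in both the access ACL and the default ACL (and is not cut down by the mask), which is the difference between the HR listing and the lisa listing above. The two ACL texts are constructed from the thread's getfacl output; the function names are my own.

```shell
#!/bin/sh
# Audit getfacl output for a share group: it needs rwx in the access ACL
# (this directory) and in the default ACL (inherited by new entries). A
# subfolder missing the default entry is the thread's "lisa" case.

# acl_entry_perms ACL_TEXT PREFIX: print the permission field of the first
# line starting with PREFIX (e.g. 'default:group:CBL-HO\134HR-Group:').
acl_entry_perms() {
    while IFS= read -r line; do
        case $line in
            "$2"*) printf '%s\n' "${line##*:}"; return 0 ;;
        esac
    done <<EOF
$1
EOF
    return 1
}

# acl_group_ok ACL_TEXT GROUP: 0 when GROUP has rwx in both the access and
# the default ACL and the mask does not cut it down; else report and return 1.
acl_group_ok() {
    acl=$1 grp=$2 rc=0
    for kind in "" "default:"; do
        perms=$(acl_entry_perms "$acl" "${kind}group:$grp:") || perms=absent
        mask=$(acl_entry_perms "$acl" "${kind}mask::") || mask=rwx
        if [ "$perms" != rwx ] || [ "$mask" != rwx ]; then
            echo "${kind:-access:} group $grp: perms=$perms mask=$mask (want rwx)"
            rc=1
        fi
    done
    return $rc
}

# Constructed samples, trimmed from the thread's getfacl output for HR and
# for the subfolder lisa that a user created inside it.
HR_ACL='# file: HR
group::rwx
group:CBL-HO\134HR-Group:rwx
mask::rwx
default:group:CBL-HO\134HR-Group:rwx
default:mask::rwx'
LISA_ACL='# file: lisa
group::r-x
group:CBL-HO\134Domain\040Users:r-x
mask::rwx
default:group:CBL-HO\134Domain\040Users:r-x
default:mask::rwx'

acl_group_ok "$HR_ACL" 'CBL-HO\134HR-Group' && echo "HR: OK"
acl_group_ok "$LISA_ACL" 'CBL-HO\134HR-Group' || echo "lisa: HR-Group locked out"
```

To run it against a live tree, feed `getfacl -p "$dir"` output in place of the constructed variables, once per subdirectory, and act on any directory the check reports.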